After switching from Windows to CachyOS on my gaming laptop and seeing how easy it would be to activate secure boot with systemd-boot as boot manager, I decided to re-install Arch Linux on my main computer and give it a new disk layout.

As always, depending on hardware and personal requirements, your milage may vary, but this is how it worked for me (using installation image of February 2026). Also, make sure to always check Arch Linux’ official documentation.

Preparations

Download the latest installation image from here and make sure to verify the downloaded image. Then copy it to an USB flash drive:

sudo dd bs=4M if=/path/to/archlinux-<VERSION>-x86_64.iso of=/dev/sd<X> conv=fsync oflag=direct status=progress

Make sure to get /dev/sd<X> right!

Also, make sure to disable secure boot in your computer’s UEFI setup and then go ahead and boot Arch from the newly created UBS flash drive.

Installation

Network connection

Once Arch is running from the flash drive, you’re automatically logged in as root. Set your keyboard layout, in my case “German” (I have to type “z” instead of “y”):

loadkeys de

From now on my keyboard will work as expected. :-) Next, get your network connection up and running. If it’s wired, it will most likely work already, if it’s wireless, run iwctl. See help here (replace wlan0 if your’s named differently):

iwctl
[iwd]# device list
[iwd]# station wlan0 scan
[iwd]# station wlan0 get-networks
[iwd]# station wlan0 connect <SSID>
[iwd]# station wlan0 show

Verify that it’s wokring by pinging any host.

Date & time

Verify your systemtime is OK by running:

timedatectl

Disk layout

So this is the part where you will lose all your data currently stored on your main disk. Make sure you have a backup!

Depending on your hardware, your disk name might differ. In my case it’s a NVMe SSD disk: /dev/nvme0n1. Choose your preferred partitioning tool, I opted for cfdisk:

cfdisk /dev/nvme0n1

Make sure you create a GPT partition layout and then create two partitions:

  • first one will be our EFI partition (~ 1-2 GB) => make sure to set the partition type to “EFI”!
  • second one will be our encrypted partition (all remaining space of the disk) => partition type: keep standard Linux

Save your layout end exit cfdisk.

Filesystems and encryption

EFI partition

The first partition will be the EFI partition and thus needs to be formated as FAT32:

mkfs.fat -F 32 /dev/nvme0n1p1

LUKS + btrfs

Now, the configuration of the second partition will take a little bit more effort. First we will encrypt it and then we’ll create btrfs subvolumes. To encrypt the second partion, execute:

cryptsetup luksFormat /dev/nvme0n1p2     # choose a good password here!

Open the newly encrypted partition. I’ve chosen to allow discards, which might slightly decrease security, so you can omit that part:

cryptsetup --allow-discards --persistent open /dev/nvme0n1p2 mycrypt

Name it whatever you like, I’ve chosen mycrypt here in this example. At this point we can create a btrfs filesystem on the new device:

mkfs.btrfs /dev/mapper/mycrypt

Let’s temporarily mount the new filesystem and create subvolumes:

mount /dev/mapper/mycrypt /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt

Create as many subvolumes as you like, but those two should be fine already. As of yet, we can mount the root filesystem, this time with all desired mount options. Then we can add the required mount points and mount the remaining partitions:

mount -o noatime,ssd,space_cache=v2,compress=zstd,subvol=@ /dev/mapper/mycrypt /mnt
mkdir /mnt/boot
mkdir /mnt/home
mount -o noatime,ssd,space_cache=v2,compress=zstd,subvol=@home /dev/mapper/mycrypt /mnt/home
mount /dev/nvme0n1p1 /mnt/boot

Please check for yourself if those mount options are the ones you really want. For me they are working fine.

Install the base system

We now have our filesystems ready and can proceed with installing the base system. You might want to edit /etc/pacman.d/mirrorlist or just keep it as is. Keep in mind, this is the only file which will be copied to your installed system.

Let’s get some packages installed:

pacstrap -K /mnt base linux linux-firmware intel-ucode networkmanager firewalld sudo btrfs-progs efibootmgr cryptsetup man-db man-pages vim

Please note:

  • if you prefer the LTS kernel, replace linux with linux-lts
  • if you have an AMD CPU, replace intel-ucode with amd-ucode
  • add anything you think is useful

Then generate fstab:

genfstab -U /mnt >> /mnt/etc/fstab

You might want to edit /mnt/etc/fstab once it’s generated. I replaced dmask=0022 and fmask=0022 with umask=0077 for security reasons, as I don’t want /boot to be world readable.

Configure the newly installed system

Now let’s chroot into the new system by:

arch-chroot /mnt

Set the timezone

First, set the correct timezone and generate /etc/adjtime. In may case:

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
hwclock --systohc

Locales

To generate the correct locales, remove # in /etc/locale.gen where appropriate. In my case it’s de_DE.UTF-8 UTF-8. Then execute:

locale-gen

Next, create /etc/locale.conf with your desired language setting. For me:

echo "LANG=de_DE.UTF-8" >> /etc/locale.conf

Set a keyboard layout:

echo "KEYMAP=de" >> /etc/vconsole.conf

If you’re planning on using Gnome with GDM, add:

echo "XKBLAYOUT=de" >> /etc/vconsole.conf

Hostname

Set your hostname by:

echo your_hostname >> /etc/hostname

Create initramfs

As we’re using an encrypted root partition, we need to modify /etc/mkinitcpio.conf, specifically the “HOOKS=” line. The default is now systemd anyway, so make sure to add “sd-encrypt” before “filesystems”. It should look something like this:

HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt filesystems fsck)

Then, actually create a new initramfs:

mkinitcpio -P

Set a password for root

Choose a good root password:

passwd

Install systemd-boot

You do not need to install additional packages to install systemd-boot as it already comes with the base system. However, you still need to install it to the EFI partition and let it generate an UEFI boot entry. For that wot work, you need to logout of your chroot environment and then re-login with -S switch. Then run the install command:

exit             # logout of current chroot
arch-chroot -S   # login again
bootctl install

Ignore the warning about the world readable files/directories (will be fixed upon reboot).

We still need to configure systemd-boot by adding two configuration files:

/boot/loader/loader.conf:
-------------------------
default arch.conf
timeout 3
console-mode keep
editor no

This will tell systemd-boot to wait 3 seconds before booting whatever is configured in arch.conf. So, let’s create arch.conf. The file needs to go in /boot/loader/entries. You can start by adding just a few lines and stop after “rd.luks.name=”:

/boot/loader/entries/arch.conf:
-------------------------------
title   Arch Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /initramfs-linux.img
options rd.luks.name=

If you installed the LTS kernel, of course add “-lts” to the “linux” and the second “initrd” line. Also, replace “intel-ucode” by “amd-ucode” if your machine is running an AMD CPU. (I think, the ucode lines are not really required anymore, as mkinitcpio is already taking care of that with the microcode hook.)

The slightly more complicated part is to get the options right as this requires the UUID of your LUKS container partition. I did the following:

blkid | grep crypto_LUKS | cut -d '"' -f 2 >> /boot/loader/entries/arch.conf

That should add the correct UUID as last line to the configuration file. Now edit /boot/loader/entries/arch.conf again and complete the options line like this:

options rd.luks.name=<UUID>=mycrypt root=/dev/mapper/mycrypt rootflags=subvol=@ rw loglevel=3 initcall_blacklist=simpledrm_platform_driver_init

The initcall_blacklist=simpledrm_platform_driver_init part is disabling a second “ghost” screen. However, if you’re unsure omit that part, you can add it any time later as well.

Enable services

You might want to enable some services now:

systemctl enable systemd-boot-update.service
systemctl enable NetworkManager
systemctl enable firewalld

If you don’t want NetworkManager to create a random MAC address for your wireless interface, add a configuration file:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf:
----------------------------------------------
[device]
wifi.scan-rand-mac-address=no

Reboot

Logout of the chroot environment again, umount partions and reboot… The moment of truth!

exit
umount -R /mnt
reboot

First boot

If all went well you should be asked for your disk encryption password upon boot which you’ve chosen earlier during “cryptsetup luksFormat” command. Once the system is up, login as root.

Adding a user

Now might be a good opportunity to add a personal user:

YOUR_USER_NAME=<WHATEVER_YOU_CHOOSE>
groupadd ${YOUR_USER_NAME}
useradd -m -s /usr/bin/bash -d /home/${YOUR_USER_NAME} -g ${YOUR_USER_NAME} -c "<YOUR FULL NAME>" ${YOUR_USER_NAME}
passwd ${YOUR_USER_NAME}
usermod -aG wheel

Now edit sudoers to grant sudo privileges to your user:

pacman -S ex-vi-compat
visudo

Remove the comment from line “%wheel ALL=(ALL:ALL) ALL” and save the file. You can now logoff as root and login as the new user.

Network connection

Again, if you have a wired network connection, all should be set already. If you have a wireless setup, run nmcli to connect to a wireless LAN (s. also here):

nmcli device wifi list
nmcli --ask device wifi connect <SSID>
nmcli connection show

Secure boot

Let’s configure secure boot now! You need to enable Setup mode in your UEFI firmware’s secure boot setting. So reboot, enter your UEFI setup and follow the appropriate steps for your firmware. In my case, I was not able to get it into Setup mode, so I added the certificates manually. You will probably not have that same issue though. Once done, boot back into Arch and install sbctl:

sudo pacman -S sbctl

Please see Arch wiki here for detailed instructions.

If you successfully enabled secure boot setup mode or not, the first steps are identical. Check the current status and create your personal keys:

sudo sbctl status
sudo sbctl create-keys

The “status” command should show that sbctl is not installed and Setup Mode is enabled (if you were able to). In case you could enable setup mode, you can go ahead and enroll the keys:

sudo sbctl enroll-keys -m

-m” will add Microsoft’s certificates. Omit that only if you know what you are doing! Check the status again (sbctl status).

If you were not able to enable setup mode, simply skip the enroll step above.

In the next step we need to sign all the important files with the keys we just created. To find the files which need to be signed, execute:

sudo sbctl verify

For each file printed by this command, sign it by:

sudo sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
sudo sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
sudo sbctl sign -s /boot/vmlinuz-linux

The above my vary on your system!

Additionally sign the boot loader (s. here):

sudo sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi

In case you were able to get secure boot into setup mode you should be good to go. You can verify by sbctl status. However, in my case, it required some extra steps:

First, I converted the certificates from PEM to DER and saved them to the /boot partition (the only partition which is readable by UEFI firmware):

sudo mkdir /boot/certs
sudo openssl x509 -outform der -in /var/lib/sbctl/keys/db/db.pem -out /boot/certs/db.der
sudo openssl x509 -outform der -in /var/lib/sbctl/keys/KEK/KEK.pem -out /boot/certs/KEK.der
sudo openssl x509 -outform der -in /var/lib/sbctl/keys/PK/PK.pem -out /boot/certs/PK.der

Then I entered my computers UEFI firmware and imported the certificates. I did not need Microsoft’s certificates in my case. Upon booting Arch Linux again, sbctl status displayed “Secure Boot: Enabled”!

Don’t forget to remove the certificates from /boot:

sudo rm -r /boot/certs

Further configuration

From here on, just go ahead and install you favorite dekstop environment. For Gnome:

sudo pacman -S gnome
sudo systemctl enable gdm.service

Reboot and login to Gnome!

If you have a Yubi Key BIO, you can use it to decrypt your drive at boot by following my earlier post.